From 466c6ebf0e9e4a75eb3b14e97766b6fb8707b4d3 Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Fri, 8 Jun 2018 17:05:45 +0000
Subject: [PATCH] tls: require trusted_ca when using verify_subject_alt_name. (#3550)
SAN-based verification without trusted CA is insecure, since provided values are easily spoofable. Becasue of how the existing verification code is structured, this was already enforced at run-time, and all certificates were rejected when trusted CA wasn't specified, but previously it wasn't obvious why. *Risk Level*: None *Testing*: bazel test //test/... *Docs Changes*: Added *Release Notes*: n/a Fixes #1268.
Signed-off-by: Piotr Sikora
Mirrored from https://github.com/envoyproxy/envoy @ 72db143131c1030e7c448e034a1a08980dc826f9
---
 envoy/api/v2/auth/cert.proto | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto
index 39cbb0a7..e1843c28 100644
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@@ -191,6 +191,12 @@ message CertificateValidationContext {
 // An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 // Subject Alternative Name of the presented certificate matches one of the specified values.
+ //
+ // .. attention::
+ //
+ // Subject Alternative Names are easily spoofable and verifying only them is insecure,
+ // therefore this option must be used together with :ref:`trusted_ca
+ // `.
 repeated string verify_subject_alt_name = 4;
 // [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
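Review bot: The new attention block on verify_subject_alt_name says the field must be used together with trusted_ca, but it does not say what happens when it is not, so an operator who misses the note still gets a config that loads and only fails later. The commit message states that at run time every presented certificate is rejected when trusted_ca is absent; putting that consequence in the comment would make the failure mode visible where the field is documented, e.g. `//   Without trusted_ca, every presented certificate is rejected.`. The :ref: target following `trusted_ca` shows up empty in this rendering, which may be an extraction artifact; confirm the cross-reference resolves in the generated docs. Nothing in the schema expresses the cross-field constraint itself, so if a load-time rejection is wanted it would presumably have to come from config validation rather than from this comment.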